Understanding Security Issues as Patterns in Data
Mark Seward, Director, Security and Compliance Marketing
© Copyright Splunk 2011 2 The 2nd Annual Splunk Worldwide Users’ Conference
A Shift in Attack Vectors
[Chart: attack volume over time, 1998 to today, plotted against data volume. Known signature-based threats and attacks give way to unknown behavior-based attacks; the data explosion ('Big-data') begins around 2005; the number of attack signatures keeps increasing.]
Splunk meets the challenge of detecting pattern-based behaviors in a 'Big-data' context
Beyond Signatures and Rules: People Trump Technology in a Behavioral Approach
• A move to a behavioral approach demands more emphasis on people and less on pure technology
• Behavioral approaches to security require a continuous application of human observation and judgment
• Allows the analyst to take the “actor view” to understand the goals and methods of persistent adversaries
• Requires you to baseline patterns of normal or expected behavior; select thresholds and triggers that will alert administrators to suspicious activities
Implementing a Pattern-based Strategy for Security
Enabling a Pattern-based Strategy for Security
• Splunk supports pattern modeling and adaptation for security for insider threats, fraud scenarios, and persistent adversaries
• Patterns enable a risk-based approach to anticipate attack vectors and attack patterns and behaviors
Seek – activity and access patterns that contain the weak signals of a potential threat
Model – implement analytics and assessment to determine which patterns present greater risk to the organization by qualifying and quantifying the impact
Adapt – action to protect users, accounts, data and infrastructure from the threat that was discovered and assessed in the previous phases
Gartner Research © 2010
Security Event Patterns in Context: Augmented View of Security Events
[Diagram: overlapping data domains: App Mgmt, Web Analytics, Security, IT Ops]
• View the web analytics data patterns as part of the web application attack
• Monitor changes in server/application performance (CPU) against a baseline as an indicator of an attack
• Understand authorized patterns of changes/additions to configurations and user accounts as part of fraud surveillance
Security is a Big Data Problem with no boundaries from on-premise to ‘cloud’
How is this Different from Traditional SIEM?
• Rules view
  – Breaking the speed limit – if one or more of these things happen, let me know
  – Watches for only what is known
  – No concept of what is ‘normal’
• Patterns view
  – Watches for rhythms in your data over time against what is ‘normal’ (normal will not be static)
  – Takes advantage of ‘weak signals’ from non-traditional security data
  – Watches for what you don’t know
  – Patterns + Analytics enables decisions
Patterns allow for data to be viewed as a reflection of human behavior over time
Analytics and data patterns in practice
DoS Attacks
• DoS attacks at the network layer are massive floods of traffic from numerous sources, designed to overwhelm resources
• DoS attacks at the application layer target layer 7 and the HTTP protocol
[Figure: recent DoS attacks]
Common Anatomy of a Typical DoS
• Source addresses usually spoofed – this also means no TCP session establishment possible
• True identity of source very difficult to obtain
• Attacks of significance generally from a botnet
• TCP and UDP most common; ICMP happens as well
HTTP Slow POST Attack
• Client issues an HTTP POST to a server
• Client says “I’m going to post a gig of data.”
• Client sends the host a gig, but only 1 byte per minute
• Service waits for the data transfer
• Usually in just a couple of minutes – La Morte
Dashboard – HTTP Slow POST
[Dashboard screenshot: Slow Post Attack]
Connection Exhaustion Based Attacks
• Host opens a connection to a server but doesn’t send a single byte
• Each connection ties up an Apache process
• Apache waits for the connection timeout to expire, then closes the connection
• Connections fill up the queue faster than they time out
• Default connection queue for Apache is set to 511
Dashboard – Connection Exhaustion
[Dashboard screenshot: attacks detected]
Example: Time-based Pattern Detection for Malware Activity Discovery
Pattern: request for download immediately followed by more requests
• Fast requests following the download of a PDF, Java, zip, or exe. If a download is followed by rapid requests for more files, this is a potential indicator of a dropper.
Splunk pattern search
• Time-based transactions sorted by length
• source=proxy [search file=*.pdf OR file=*.exe | dedup clientip | table clientip] | transaction maxspan=60s maxpause=5s clientip | eval Length=len(_raw) | sort - Length
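The dropper pattern above, re-implemented outside Splunk as an added Python example (not the deck's own code): it mimics the per-client transaction grouping (maxspan 60s, maxpause 5s) over a constructed proxy log and lists the transactions in which a download is followed by rapid further requests. The log format, client IPs and URLs are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
# Constructed proxy log (not from the slides): "<ISO time> <clientip> <url>"
PROXY_LOG = """\
2011-08-15T10:00:00 10.1.1.5 http://example.test/report.pdf
2011-08-15T10:00:02 10.1.1.5 http://cdn.test/a.bin
2011-08-15T10:00:05 10.1.1.5 http://cdn.test/b.bin
2011-08-15T10:00:08 10.1.1.5 http://cdn.test/c.bin
2011-08-15T10:00:11 10.1.1.5 http://cdn.test/d.bin
2011-08-15T10:01:00 10.1.1.9 http://example.test/brochure.pdf
2011-08-15T10:05:00 10.1.1.9 http://news.test/index.html
"""
DOWNLOAD_EXT = (".pdf", ".exe", ".zip", ".jar")  # the slide's PDF/Java/zip/exe
def parse_proxy(log):
    """Return (time, clientip, url) tuples in time order."""
    rows = [line.split() for line in log.splitlines()]
    return sorted((datetime.fromisoformat(t), ip, url) for t, ip, url in rows)

def transactions(events, maxspan=60, maxpause=5):
    """Mimic `transaction maxspan=60s maxpause=5s clientip`: per client, start a
    new run when the pause exceeds maxpause or the run's span would exceed maxspan."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    runs = []
    for evs in by_ip.values():
        cur = [evs[0]]
        for ev in evs[1:]:
            pause = (ev[0] - cur[-1][0]).total_seconds()
            span = (ev[0] - cur[0][0]).total_seconds()
            if pause <= maxpause and span <= maxspan:
                cur.append(ev)
            else:
                runs.append(cur)
                cur = [ev]
        runs.append(cur)
    return runs

def suspicious_droppers(log, min_followups=3):
    """Runs in which a download is followed by >= min_followups more requests,
    largest first (the slide's `sort - Length`). Requiring the download inside
    the run stands in for the SPL subsearch that selects downloading clients."""
    hits = []
    for run in transactions(parse_proxy(log)):
        urls = [u for _, _, u in run]
        dl = [i for i, u in enumerate(urls) if u.lower().endswith(DOWNLOAD_EXT)]
        if dl and len(urls) - dl[0] - 1 >= min_followups:
            hits.append((run[0][1], len(urls), urls[dl[0]]))
    return sorted(hits, key=lambda h: -h[1])
```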
Example: Patterns of Beaconing Hosts to Command and Control
Pattern:
• APT malware ‘beacons’ to command and control at specific intervals
Splunk pattern search
• Watching for hosts that talk to the same URL at the same interval every day
• … | streamstats current=f last(_time) as next_time by site | eval gap = next_time - _time | stats count avg(gap) var(gap) by site
• What you’d be looking out for are sites that have a low var(gap) value.
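The beaconing search above, as an added Python example (not from the deck): it computes per-site request gaps and the count/avg/var the SPL produces, then flags sites whose intervals are nearly constant. Instead of the slide's raw low var(gap) cutoff it uses a relative threshold (standard deviation divided by mean gap) so the same check works whether the interval is seconds or hours; the log format and site names are constructed.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, variance

# Constructed proxy events (not from the slides): "<ISO time> <clientip> <site>"
PROXY_LOG = """\
2011-08-15T00:00:00 10.1.1.5 c2.example.test
2011-08-15T06:00:00 10.1.1.5 c2.example.test
2011-08-15T12:00:00 10.1.1.5 c2.example.test
2011-08-15T18:00:00 10.1.1.5 c2.example.test
2011-08-16T00:00:00 10.1.1.5 c2.example.test
2011-08-15T00:10:00 10.1.1.9 news.example.test
2011-08-15T00:40:00 10.1.1.9 news.example.test
2011-08-15T09:05:00 10.1.1.9 news.example.test
2011-08-15T13:00:00 10.1.1.9 news.example.test
"""

def gaps_by_site(log):
    """Mimic `streamstats current=f last(_time) as next_time by site | eval gap=...`:
    per site, the seconds between consecutive requests in time order."""
    times = defaultdict(list)
    for line in log.splitlines():
        ts, _ip, site = line.split()
        times[site].append(datetime.fromisoformat(ts))
    gaps = {}
    for site, ts in times.items():
        ts.sort()
        gaps[site] = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    return gaps

def beacon_stats(log):
    """Mimic `stats count avg(gap) var(gap) by site`. Sites with fewer than two
    gaps get var=None because sample variance is undefined there."""
    out = {}
    for site, g in gaps_by_site(log).items():
        out[site] = {"count": len(g), "avg": mean(g) if g else None,
                     "var": variance(g) if len(g) > 1 else None}
    return out

def beacon_candidates(log, max_cv=0.05):
    """Sites whose gaps are nearly constant: coefficient of variation
    (stdev / avg gap) below max_cv. A relative threshold replaces the slide's
    raw 'low var(gap)' so it is meaningful for any interval length."""
    hits = []
    for site, s in beacon_stats(log).items():
        if s["var"] is not None and s["avg"] and (s["var"] ** 0.5) / s["avg"] < max_cv:
            hits.append(site)
    return sorted(hits)
```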
Other Pattern Uses
Fraud: hand off to Intuit…
Intuit, Financial Services Division
Jaime Rodriguez, Senior Fraud Analyst, Intuit
Jaime Rodriguez
• Securing banks and financial institutions since 1999
• Presented and keynoted at numerous Information Security conferences all around the US
• Contributor to a variety of open-source projects related to many of today's most popular security tools
“Fraud team's goal is to provide fraud analysis on a proactive basis--we're currently reactive.”
Intuit—Financial Services Division
• One of the largest providers of outsourced online financial management solutions
• Serving 1800+ financial institutions and 4 million+ end customers
• Applications include:
  - Consumer and business internet banking
  - Electronic bill payment and presentment
  - Personal online financial management
  - Website hosting and development for financial institutions
All of Your Data Is Security Relevant
• Indexing our infrastructure:
  - Cisco Firewalls
  - Snort
  - App logs, WebSense
  - TippingPoint, IPS
• Integrating data from outside partners:
  - Known fraud rings
  - Bad IP addresses
  - Bad actors
Splunk Speeds Remediation
• Previously had customized parser
• Searches conducted in batch taking 3+ hours via cron job
• Reports came in piecemeal across 5000 emails with different syntax
• Only sophisticated (aka highly-paid) users could track patterns
• Splunk provides a single view
• Role-based access provides secure views into data
• Customer service and banking customer teams can begin queries on their own—no waiting for access/permission—no highly paid engineer required
• Results in 5 minutes
From Reactive to Proactive
• Using Splunk for historical analysis
• New fraud patterns identified drive reviews of past 30 day / 90 day / all time periods
• As patterns emerge we build alerts when evidence of similar patterns of known fraudsters emerge (SMS, email)
• Showing monthly trending
• We’ve modified our logs to better capture and expose the information we need to see
Splunk for the Ops Team
• Outages unacceptable
• Often caused by unauthorized change
• Splunk tracks changes to pinpoint issues for remediation
• Monitoring throughput and access for each financial institution
  - Usage stats good for re-sell/upsell
• Dashboards show system health and performance—execs love visibility
Truth From The Trenches: Wire Transfers
• Watching fraudster in real-time—seeing $5M, $7M, $8M wire attempts
• Splunk exposed every element of our infrastructure that he touched
• Next we could correlate activities based on time to understand his pattern of activity
Truth from the Trenches: Geolocation
• We noticed a similar fraud pattern across 15 banks
• Then we mapped them to see they were within 15 miles of one another
• Fraud was coming from one data processing vendor who they all shared
The World of Compliance
FFIEC
• Federal Financial Institutions Examination Council
• Ensures financial organizations follow uniform principles, standards and methods of reporting
• Splunk empowers auditors to ask—and us to quickly and easily answer—any question
SAS70
• Certification of standard controls, communications mechanisms and monitoring procedures
• Required by many financial services clients
• Subset of Sarbanes-Oxley compliance
PCI
• PCI: Payment Card Industry Data Security Standard
• Promotes trust with customers
• Required by various payment card providers
Getting Started
• Just get started—Splunk is great out of the box for quick and dirty analysis
• It only gets better when you customize it
• Demo Splunk to others—people are amazed at how much data and depth we can get based on pivoting
• Follow the install guide!
• Consider how you’ll expand—and plan in advance for that expansion
• Move to 4.2—it’s fast!
August 15, 2011
Questions?
Jaime Rodriguez, Intuit